EIQ-2019-0008

ID

EIQ-2019-0008

CVE

CVE-2018-3728

Description

hoek enables prototype pollution

Date

05 Feb 2019

Severity

2 - MEDIUM

CVSSv3 score

6.5

Status

✅ 2.5.0

Assessment

The hoek Node.js module versions 4.2.0 and earlier, and from version 5.0.0 to 5.0.2, make it possible for an attacker to use the merge, applyToDefaults, and applyToDefaultsWithShallow functions to pass a non-validated JSON string containing the __proto__ accessor property.

This enables arbitrary adding or modifying object prototype properties.

Modified properties are propagated through inheritance to all objects, which can result in a denial of service attack.

Mitigation

Update to hoek 4.2.1, or 6.0.0 or later.

Affected versions

2.1.0 to 2.4.0 included.

Notes

For more information, see: